ORM is a subset of Enterprise Risk Management (ERM). More specifically, ORM addresses operational and compliance risks and is thought of as an extension of process safety. The goal of ERM is to mitigate financial, operational and compliance risks to an acceptable level through policies, systems and procedures.
In effect, as the market has moved away from compliance toward risk management, ORM has become an evolution of traditional EHS compliance. In traditional ERM vs. ORM language, ORM is focused on everything that is non-financial in nature, although, as we have discussed, in reality all types of risk have the potential for financial impact.
This shift has largely been driven by companies starting to plateau in safety and environmental performance (as measured by metrics such as Total Recordable Incident Rate). To make risk management more practical, companies are starting to broaden their view of risk management to include non-EHS areas such as supply chain, operations, maintenance, capital projects, and engineering. The outcome is a risk registry that looks at all operational risks through a single lens, creating a level playing field on which issues can be properly prioritized and actioned in real time. While EHS / PSM compliance is foundational to the privilege to operate, a comprehensive ORM framework goes far toward moving away from after-the-fact "reactive" compliance and is key to identifying threats before they materialize.
The current view of ORM that seems to permeate the analyst community is primarily focused on traditional EHS compliance activities such as Audit, PHA, Incident Investigation, and Corrective Action Management. Other tools such as Bowtie analysis and work permitting are added into the viewpoint, but the focus is still firmly on traditional, siloed tactics specific to EHS or compliance activities. Because EHS and compliance do not address the risk of production loss through inefficiencies, poor asset management, gaps in workforce competency, and conduct of operations, the typical EHS-first view of ORM does not really address the real risks that can have a significant impact on an organization's future.
In its simplest form, Enterprise Risk Management (ERM) is the holistic business approach an entity uses to manage the various threats and opportunities it encounters while accomplishing its mission. Risk is defined as any event that impacts a company’s ability to meet its objectives (losses and opportunities). So, creating an enterprise level system to manage risk (an ERM system) allows an organization to transparently communicate business risk to internal and external stakeholders.
The following is a maturity roadmap to manage operational risk: